(57) Methods and apparatus for use in securely provisioning a mobile communication device in a wireless local area network (WLAN) having a plurality of wireless access points (APs) are described. In one illustrative method, a provisioning procedure is performed between the mobile communication device and the WLAN via the provisioning wireless AP while the mobile communication device is positioned within a provisioning radio frequency (RF) coverage region of the provisioning wireless AP. However, the provisioning RF coverage region is otherwise confined so that a plurality of other mobile communication devices of the WLAN are restricted from access therefrom during the provisioning procedure. The provisioning RF coverage region may be confined by providing the provisioning wireless AP within a secured room, by providing an electromagnetic shield around the provisioning wireless AP, or both, as examples.

Description

BACKGROUND 

Field Of The Technology 

[0001] The present disclosure relates generally to mobile communication devices which communicate with wireless communication networks such as wireless local area networks (WLANs), and more particularly to secure provisioning procedures for mobile communication devices which operate in WLANs.

Description Of The Related Art 

[0002] In wireless communication networks, such as wireless local area networks (WLANs) which operate in accordance with 802.11-based standards, secure provisioning of information "over-the-air" for mobile communication devices has not been adequately addressed. Provisioning information may be or include various sensitive information, such as authentication keys, passwords, or network identifiers. If such sensitive information is sent over-the-air by the WLAN in a provisioning procedure, it may be exposed and vulnerable to outside users.

[0003] For example, network identifiers may be utilized by mobile communication devices to identify the appropriate WLAN to connect with and obtain services. For 802.11-based WLANs, the network identifiers are called extended service set identifiers (ESSIDs). After a mobile device is manufactured and sold, the ESSID of the WLAN of the mobile device needs to be "provisioned" or saved in memory of the mobile device. Typically, the ESSID is entered in by the end user through a keyboard of the mobile device. It is desirable, however, to minimize data entry steps for provisioning a mobile device. Thus, it would be more desirable to have the WLAN itself provision the mobile device with the ESSID, but the mobile device needs the ESSID of the WLAN in order to initially connect with its WLAN. If the ESSID is sent over-the-air by the WLAN in a provisioning procedure, it is exposed and vulnerable to outside users who may gain access to the private WLAN.

[0004] Accordingly, what are needed are methods and apparatus for securely provisioning mobile communication devices in WLANs.

SUMMARY 

[0005] Methods and apparatus for use in securely provisioning a mobile communication device in a wireless local area network (WLAN) having a plurality of wireless access points (APs) are described. In one illustrative method, a provisioning procedure is performed between the mobile communication device and the WLAN via the provisioning wireless AP while the mobile communication device is positioned within a provisioning radio frequency (RF) coverage region of the provisioning wireless AP. However, the provisioning RF coverage region is otherwise confined so that a plurality of other mobile communication devices of the WLAN are restricted from access therefrom during the provisioning procedure. The provisioning RF coverage region may be confined by providing the provisioning wireless AP within a secured room, by providing an electromagnetic shield around the provisioning wireless AP, or both, as examples.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0006] Embodiments of present invention will now be described by way of example with reference to attached figures, wherein:

FIG. 1 is a block diagram which illustrates a communication system which includes a communication network having a wireless local area network (WLAN) with a plurality of wireless access points (APs);

FIG. 2 is a more detailed schematic diagram of the mobile communication devices of FIG. 1, namely, a mobile station of the preferred embodiment;

FIG. 3 is a block diagram which illustrates a first technique that utilizes an RF shielded secured room structure for provisioning a mobile communication device with provisioning information from the WLAN via a provisioning wireless AP;

FIG. 4 is a block diagram which illustrates a second technique that utilizes a secured room structure for provisioning a mobile communication device with provisioning information from the WLAN via the provisioning wireless AP;

FIG. 5 is a flowchart of a secure provisioning method for a mobile communication device to obtain provisioning information from a WLAN via the provisioning wireless AP;

FIG. 6 is a flowchart of a specific secure provisioning procedure for a mobile device to obtain a primary extended set service identification (ESSID) from the WLAN via the provisioning wireless AP;

FIG. 7 is a flowchart of a specific provisioning procedure for the provisioning wireless AP to provide the mobile device with the primary ESSID;

FIG. 8 is a schematic block diagram of basic components of a provisioning wireless AP which may serve as an RF coverage shaping mechanism in the WLAN to provide a technique for securely provisioning a mobile communication device with provisioning information from the WLAN;

FIG. 9 is a schematic diagram of wireless transceiver components of the provisioning wireless AP of FIG. 8 which are adapted to perform an RF coverage shaping technique for the secure provisioning of a mobile communication device with provisioning information;

FIG. 10 is a flowchart for describing a method for use in configuring the provisioning wireless AP with use of the RF coverage shaping mechanism; and

FIG. 11 is a block diagram which illustrates another technique for provisioning a mobile communication device with provisioning information from a WLAN within a secured room structure.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0007] Methods and apparatus for use in securely provisioning a mobile communication device in a wireless local area network (WLAN) having a plurality of wireless access points (APs) are described. In one illustrative method, a provisioning procedure is performed between the mobile communication device and the WLAN via the provisioning wireless AP while the mobile communication device is positioned within a provisioning radio frequency (RF) coverage region of the provisioning wireless AP. However, the provisioning RF coverage region is otherwise confined so that a plurality of other mobile communication devices of the WLAN are restricted from access therefrom during the provisioning procedure. The provisioning RF coverage region may be confined by providing the provisioning wireless AP within a secured room, by providing an electromagnetic shield around the provisioning wireless AP, or both, as examples.

[0008] FIG. 1 is a block diagram which illustrates a communication system 100 which includes a public network 102 (e.g. the Internet) and a private network 104. A firewall 124 may be provided in private network 104 for preventing unauthorized access from users in public network 102. In the present embodiment, private network 104 is or includes a wireless local area network (WLAN). In the WLAN, terminals may connect to their associated networks through access points (APs) as shown. Preferably, at least some of the APs are wireless APs of the WLAN and at least some of the terminals are mobile/wireless communication devices which interface and connect through these wireless APs. Such terminals and APs may operate in accordance with well-known IEEE 802.11 standards. The terminals shown in public network 102 include terminals 110 and 112 which have interfaced with AP 106, and terminals 114, 116, and 118 which have interfaced with AP 108. The terminals shown in private network 104 include terminals 134, 136, 138 which have interfaced with AP 190, and terminals 144 and 146 which have interfaced with AP 142.

[0009] Private network 104 which includes the WLAN provides various data and communication services to its terminals. For example, private network 104 may provide for voice telephony communication services for its terminals with use of Voice over IP (VoIP) communications. For these types of services, private network 104 may utilize a VoIP server architecture for VoIP communication sessions, and/or an e-mail server architecture for e-mail message communications, as examples. For these purposes, communication system 100 may also include at least one VoIP or Session Initiation Protocol (SIP) proxy server. In the present embodiment, communication system 100 has a VoIP or SIP proxy server 121 in public network 102 and a VoIP or SIP proxy server 130 in private network 104. Note that some communication applications utilized by terminals, such as VoIP applications, require the use of SIP. SIP is well-documented in standard documents such as Request For Comments (RFC) 3261.

[0010] Private network 104 also has a provisioning server 128 which assists in performing wireless network provisioning procedures with terminals for their receipt and programming of provisioning information (e.g. enterprise-specific ESSIDs), which is described in more detail below in relation to FIGs. 3-10. Further, an AP 190 in private network 104 may be reserved for use as a special provisioning wireless AP to be described later.

[0011] Referring now to FIG. 2, electrical components of a typical mobile communication device 202 (e.g. a mobile station) which operates with wireless APs of communication system 100 of FIG. 1 will be described. Mobile device 202 may be representative of one or more terminals shown and described in relation to FIG. 1. Mobile device 202 is preferably a two-way communication device having at least voice and advanced data communication capabilities, including the capability to communicate with other computer systems. Also preferably, mobile device 202 is a wireless communication device which operates in accordance with IEEE 802.11 standards. Depending on the functionality provided by mobile device 202, it may be referred to as a data messaging device, a two-way pager, a cellular telephone with data messaging capabilities, a wireless Internet appliance, or a data communication device (with or without telephony capabilities).

[0012] As shown in FIG. 2, mobile device 202 is adapted to wirelessly communicate with wireless APs such as AP 190. For communication with such wireless APs, mobile device 202 utilizes communication subsystem 211. Depending on the type of device, mobile device 202 may also be adapted to wirelessly communicate with other systems such as cellular telecommunication systems. With such configuration, mobile device 202 may be referred to as a "dual mode" mobile device. Although mobile device 202 may have separate and independent subsystems for these purposes, at least some portions or components of these otherwise different subsystems may be shared where possible. Note, however, that the provisioning techniques of the present disclosure do not require that mobile device 202 be any type of dual mode device.

[0013] Communication subsystem 211 includes a receiver 212, a transmitter 214, and associated components, such as one or more (preferably embedded or internal) antenna elements 216 and 218, local oscillators (LOs) 213, and a processing module such as a baseband (BB) and media access control (MAC) processing module 220. As will be apparent to those skilled in the field of communications, the particular design of communication subsystem 211 depends on the communication network in which mobile device 202 is intended to operate. In the present disclosure, communication subsystem 211 (including its associated processor/processing components) are operative in accordance with IEEE 802.11 standards.

[0014] Mobile device 202 may send and receive communication signals through the network after required network procedures have been completed. Signals received by antenna 216 through the network are input to receiver 212, which may perform such common receiver functions as signal amplification, frequency down conversion, filtering, channel selection, and the like, and in the example shown in FIG. 2, analog-to-digital (A/D) conversion. A/D conversion of a received signal allows more complex communication functions such as demodulation and decoding to be performed in BB/MAC processing module 220. In a similar manner, signals to be transmitted are processed, including modulation and encoding, for example, by BB/MAC processing module 220. These processed signals are input to transmitter 214 for digital-to-analog (D/A) conversion, frequency up conversion, filtering, amplification and transmission through the network via antenna 218. BB/MAC processing module 220 not only processes communication signals, but may also provide for receiver and transmitter control. Note that receiver 212 and transmitter 214 may share one or more antennas through an antenna switch (not shown in FIG. 2), instead of having two separate dedicated antennas 216 and 218 as shown.

[0015] Since mobile device 202 may be a portable battery-powered device, it also includes a battery interface 254 for receiving one or more rechargeable batteries 256. Such a battery 256 provides electrical power to most if not all electrical circuitry in mobile device 202, and battery interface 254 provides for a mechanical and electrical connection for it. Battery interface 254 is coupled to a regulator (not shown in FIG. 2) that provides a regulated supply voltage V+ to all of the circuitry.

[0016] Mobile device 202 includes a microprocessor 238 (one type of processor or controller) that controls overall operation of mobile device 202. Communication functions, including at least data and voice communications, are performed through communication subsystem 211. Microprocessor 238 also interacts with additional device subsystems such as a display 222, a flash memory 224, a random access memory (RAM) 226, auxiliary input/output (I/O) subsystems 228, a serial port 230, a keyboard 232, a speaker 234, a microphone 236, a short-range communications subsystem 240, and any other device subsystems generally designated at 242. Some of the subsystems shown in FIG. 2 perform communication-related functions, whereas other subsystems may provide "resident" or on-device functions. Notably, some subsystems, such as keyboard 232 and display 222, for example, may be used for both communication-related functions, such as entering a text message for transmission over a communication network, and device-resident functions such as a calculator or task list. Operating system software used by microprocessor 238 is preferably stored in a persistent store such as flash memory 224, which may alternatively be a read-only memory (ROM) or similar storage element (not shown). Those skilled in the art will appreciate that the operating system, specific device applications, or parts thereof, may be temporarily loaded into a volatile store such as RAM 226.

[0017] Microprocessor 238, in addition to its operating system functions, preferably enables execution of software applications on mobile device 202. A predetermined set of applications that control basic device operations, including at least data and voice communication applications, will normally be installed on mobile device 202 during its manufacture. A preferred application that may be loaded onto mobile device 202 may be a personal information manager (PIM) application having the ability to organize and manage data items relating to the user such as, but not limited to, e-mail, calendar events, voice mails, appointments, and task items. Naturally, one or more memory stores are available on mobile device 202 and SIM 256 to facilitate storage of PIM data items and other information.

[0018] The PIM application preferably has the ability to send and receive data items via the wireless network. In a preferred embodiment, PIM data items are seamlessly integrated, synchronized, and updated via the wireless network, with the wireless device user's corresponding data items stored and/or associated with a host computer system thereby creating a mirrored host computer on mobile device 202 with respect to such items. This is especially advantageous where the host computer system is the wireless device user's office computer system. Additional applications may also be loaded onto mobile device 202 through the network, an auxiliary I/O subsystem 228, serial port 230, short-range communications subsystem 240, or any other suitable subsystem 242, and installed by a user in RAM 226 or preferably a non-volatile store (not shown) for execution by microprocessor 238. Such flexibility in application installation increases the functionality of mobile device 202 and may provide enhanced on-device functions, communication-related functions, or both. For example, secure communication applications may enable electronic commerce functions and other such financial transactions to be performed using mobile device 202.

[0019] In a data communication mode, a received signal such as a text message, an e-mail message, or web page download will be processed by communication subsystem 211 and input to microprocessor 238. Microprocessor 238 will preferably further process the signal for output to display 222 or alternatively to auxiliary I/O device 228. A user of mobile device 202 may also compose data items, such as e-mail messages, for example, using keyboard 232 in conjunction with display 222 and possibly auxiliary I/O device 228. Keyboard 232 is preferably a complete alphanumeric keyboard and/or telephone-type keypad. These composed items may be transmitted over a communication network through communication subsystem 211. For voice communications, the overall operation of mobile device 202 is substantially similar, except that the received signals would be output to speaker 234 and signals for transmission would be generated by microphone 236. Alternative voice or audio I/O subsystems, such as a voice message recording subsystem, may also be implemented on mobile device 202. Although voice or audio signal output is preferably accomplished primarily through speaker 234, display 222 may also be used to provide an indication of the identity of a calling party, duration of a voice call, or other voice call related information, as some examples.

[0020] Serial port 230 in FIG. 2 is normally implemented in a personal digital assistant (PDA)-type communication device for which synchronization with a user's desktop computer is a desirable, albeit optional, component. Serial port 230 enables a user to set preferences through an external device or software application and extends the capabilities of mobile device 202 by providing for information or software downloads to mobile device 202 other than through a wireless communication network. The alternate download path may, for example, be used to load an encryption key onto mobile device 202 through a direct and thus reliable and trusted connection to thereby provide secure device communication. Short-range communications subsystem 240 of FIG. 2 is an additional optional component that provides for communication between mobile device 202 and different systems or devices, which need not necessarily be similar devices. For example, subsystem 240 may include an infrared device and associated circuits and components, or a Bluetooth™ communication module to provide for communication with similarly enabled systems and devices. Bluetooth™ is a registered trademark of Bluetooth SIG, Inc.

[0021] Although a specific mobile device 202 has just been described, any suitable mobile communication device or terminal may be part of the inventive methods and apparatus which will be described in fuller detail below. Note that many components of mobile device 202 shown and described may not be included.

[0022] FIG. 3 is a block diagram which illustrates a secure provisioning area 340 within a coverage restriction apparatus 300 for provisioning of a mobile communication device by a wireless network (i.e. WLAN). As shown in FIG. 3, several components are the same as those shown and described in relation to FIG. 1 where reference numerals depict like components. In FIG. 3, a top down view of a wall structure 310 and a secure access entry door 320 connected to wall structure 310 is shown. Both wall structure 310 and entry door 320 are preferably constructed of a conductive electromagnetic shielding material or RF absorption material. When combined with a ceiling and floor (or subfloor) that is preferably constructed of similar conductive electromagnetic shielding or RF absorption material, the total enclosed structure forms one exemplary type of a coverage restriction apparatus 300.

[0023] Conductive electromagnetic shielding material of wall structure 310 and entry door 320 may be, for example, copper, silver, gold, nickel or other highly conductive material. RF absorption material may be, for example, some form of commercially-available carbon or other composition that is designed specifically to reduce radiated RF energy at specific or broad frequency ranges. The walls of wall structure 310 may be constructed entirely of the conductive electromagnetic shielding or RF absorption material, be lined with solid layers of the conductive electromagnetic shielding or RF absorption material, or be lined with layers of slotted conductive electromagnetic shielding or RF absorption material. Physical gaps around the door, walls, ceiling and floor must be minimized or omitted by placing flexible gaskets or other devices constructed of similar material to that used in walls, ceiling and floor of coverage restriction apparatus 300. Gaps around coverage restriction apparatus 300 should not exceed a predefined length or width in order to maintain a minimum level of RF shielding or absorption integrity.

[0024] Wireless AP 190 is physically located within coverage restriction apparatus 300. Wireless AP 190 is a provisioning wireless AP that is coupled to a public or private WLAN for provisioning purposes. Mobile communications devices located outside coverage restriction apparatus 300 may not be capable of RF communications with any AP or other RF device located within coverage restriction apparatus 300. Preferably, most if not all other wireless APs of the WLAN are not capable of being utilized for provisioning.

[0025] Physical entrance to secure provisioning area 340 is achieved by entering through entry door 320 after an authentication procedure. Restricted access of the coverage restriction area is provided by utilizing a security access controller 330 for proper authentication. In this example, wall structure 310, entry door 320 and security access controller 330 together form a secured room structure. Security access controller 330 may be or include a wireless access control unit, a keypad entry control unit (identification and/or password), an electronic push-button or manual key which unlocks entry door 320 by human (e.g. security guard) intervention, or a fingerprint or retina scanner unit, as examples, that controls the opening of entry door 320. In general, a received identification and/or password of the accessing party is compared with a known identification and/or password and, if there is a match, security access controller 330 causes entry door 320 to be unlocked and/or opened; otherwise entry door 320 remains locked and unopened.

[0026] The area within the wall structure 310 and entry door 320 represents the secure provisioning area 340. The technique in this example utilizes the electromagnetically shielding or RF absorption properties of coverage restriction apparatus 300 as a method of providing RF coverage security during the provisioning procedure, and the security access 330 to provide restricted access to the secure provisioning area 340. RF communications within coverage restriction apparatus 300 may be limited to mobile communication devices and APs located within coverage restriction apparatus 300. Again, mobile communications devices and APs located outside coverage restriction apparatus 300 may not be capable of RF communications with any device located within coverage restriction apparatus 300.

[0027] Once access to secure provisioning area 340 is gained, and a mobile communications device 134 is placed within the secure provisioning area 340, entry door 320 is closed before a secure provisioning procedure is performed. The secure provisioning procedure, such as the one specifically described in relation to the flowcharts of FIGs. 5, 6 and 7, may then be initiated. The provisioning procedure is adapted to provide mobile communication device 134 with provisioning information, programmed or stored in memory, which may be utilized for services within the WLAN. An example of such provisioning information is a network identification or ESSID, but any suitable provisioning information may be provided. Once the provisioning procedure is completed, mobile communications device 134 may be removed from the coverage restriction apparatus 300 and subsequently access the WLAN for services.

[0028] As another example, FIG. 4 is a block diagram which illustrates a controlled, reduced RF coverage area 440 within a restricted area 402 for provisioning of a mobile communication device within a wireless network (i.e. WLAN). Controlled RF coverage area 440 is a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs of the WLAN utilized for normal communication. The combination of controlled RF coverage area 440 and restricted area 402 provide a different type of coverage restriction apparatus 400 than that shown and described in relation to FIG. 3. As shown in FIG. 4, several components are the same as those shown and described in relation to FIG. 1 where reference numerals depict like components.

[0029] In particular, FIG. 4 shows a top down view of a wall structure 410 and a secure access entry door 420 connected to wall structure 410. The area surrounded by wall structure 410 and entry door 420 may be covered by a ceiling structure or be constructed of walls or other barriers that extend high enough above the structure's base to prevent entry by means other than by passing through entry door 420. Wall structure 410 is preferably attached securely to a floor (or subfloor) structure or some other means that will prevent access to restricted area 402 other than by passing through entry door 420.

[0030] Physical entrance to restricted area 402 is achieved by entering through entry door 420 after an authentication procedure. Restricted access of the coverage restriction area is provided by utilizing a security access controller 430 for proper authentication. In this example, wall structure 410, entry door 420 and security access controller 430 together form a secured room structure. Security access controller 430 may be or include a wireless access control unit, a keypad entry control unit (identification and/or password), an electronic push-button or manual key which unlocks entry door 420 by human (e.g. security guard) intervention, or a fingerprint or retina scanner unit, as examples, that controls the opening of entry door 420. In general, a received identification and/or password of the accessing party is compared with a known identification and/or password and, if there is a match, security access controller 430 causes entry door 420 to be unlocked and/or opened; otherwise entry door 420 remains locked and unopened.

[0031] Within restricted area 402 is the controlled RF coverage area 440 that is produced by setting an RF transmit output power level of provisioning wireless AP 190 within a secured room structure. The controlled RF coverage area 440 preferably does not extend beyond any or most boundaries of restricted area 402, indicating that only those mobile communication devices within restricted area 402 would be capable of communicating via RF and obtaining secure provisioning access. Preferably, most if not all other wireless APs of the WLAN are not capable of being utilized for provisioning.

[0032] As apparent, the technique in this example utilizes the physical structure and security access controller 430, as well as the controlled RF coverage area 440, for providing coverage security during the provisioning procedure. RF communications within coverage restriction apparatus 300 may be limited to mobile communication devices and APs located within coverage restriction apparatus 400. Mobile communications devices and APs located outside coverage restriction apparatus 400 may not be capable of RF communications with provisioning wireless AP 190 located within coverage restriction apparatus 400.

[0033] Once access to restricted area 402 is gained, and a mobile communications device 134 is placed within the secure provisioning area 440, entry door 420 is closed before a secure provisioning procedure is performed. The secure provisioning procedure, such as the one specifically described in relation to the flowcharts of FIGs. 5, 6 and 7, is then initiated. The provisioning procedure is adapted to provide mobile communication device 134 with provisioning information, programmed or stored in memory, which may be utilized for services within the WLAN. An example of such provisioning information is a network identification or ESSID, but any suitable provisioning information may be provided. Once the provisioning procedure is completed, mobile communications device 134 may be removed from the coverage restriction apparatus 400 and subsequently access the WLAN for services.

[0034] Another technique for providing a secure provisioning method may be a combination of the technique shown in FIG. 3 and that shown in FIG. 4. A conductive electromagnetic shielding or RF absorption enclosure similar to that described for coverage restriction apparatus 300 of FIG. 3 may be used in conjunction with a provisioning wireless AP 190 of FIG. 4 that is transmitting an RF signal at a reduced RF power level to produce a controlled RF coverage area 440 of FIG. 4. Such a technique that utilizes a conductive electromagnetic shielding or RF absorption enclosure and a provisioning wireless AP transmitting at a reduced RF power level would preferably include a security access for achieving restricted access entrance to provide a secure provisioning area.

[0035] FIG. 5 is a flowchart of a method for securely
provisioning a mobile communication device (e.g. one
type of wireless terminal) to provide provisioning
information from a wireless communication network (e.g. an
802.11-based wireless local area network (WLAN)) via
a provisioning wireless AP, taken from the network per- 
spective. The method of FIG. 5 may be performed at least 
in part by the WLAN and/or the APs of the WLAN, and/or 
be embodied in a computer program product which in- 
cludes a computer readable medium (e.g. memory) and 
computer instructions stored in the storage medium 
which are executable by one or more processors. The 
steps shown in the flowchart of FIG. 5 describe a general 
process for providing security during a provisioning pro- 
cedure. The process described in the flowchart shown in 
FIG. 5 makes use of a coverage restriction apparatus, 
such as those described previously in relation to FIGs. 3 
and 4, and the particular steps and sequence of steps of 
the method may vary depending on the specific security 
architecture provided. 

[0036] The discussion of FIG. 5 may make reference 
to FIGs. 1, 3, 4 and 5 in combination. Beginning at a start
block 502 of FIG. 5 a notification of an intent to provision 
a mobile communication device is received (step 504 of 
FIG. 5). At this time, the opportunity for the end user/ 
mobile device to provision the mobile device is identified. 
If the end user is granted access to the secure provision- 
ing area (e.g. area 340 of FIG. 3 or area 402 of FIG. 4) 
of the provisioning wireless AP (step 506 of FIG. 5),
then the provisioning process of the flowchart will continue;
otherwise any connection for provisioning in the
network is denied (step 514 of FIG. 5). The test in step 
506 may be performed at least in part with use of a se- 
curity access controller (e.g. security access controller 
330 of FIG. 3 or controller 430 of FIG. 4). The security 
access controller may be or include a wireless access 
control unit, a keypad entry control unit (identification 
and/or password), an electronic push-button or manual 
key which unlocks an entry door by human (e.g. security 
guard) intervention, or a fingerprint or retina scanner unit,
as examples, that controls the opening of the entry door. 
In general, a received identification and/or password of 
the accessing party is compared with a known identifica- 
tion and/or password and, if there is a match, the security 
access controller causes the entry door to be unlocked 
and/or opened; otherwise the entry door remains locked 
and unopened. 

[0037] If the end user is granted access to the secure
provisioning area of the provisioning wireless AP (step
506 of FIG. 5), then the user will enter the restricted area
and place the mobile device in a physical location within
the secure provisioning area so that the mobile device
may communicate via RF signals with the provisioning
wireless AP. Using a coverage restriction apparatus of
the type in FIG. 3, the mobile device may be placed
anywhere within the secure provisioning area 340, assuming
AP 190 is transmitting at nominal RF transmit power
level and coverage area is less than the open air RF
coverage area generated by AP 190. Using a coverage
restriction apparatus of the type in FIG. 4, the user must
place the mobile device within controlled RF coverage
area 440 of provisioning wireless AP 190. Once the
mobile device is placed within the coverage area of
provisioning wireless AP, the mobile device may then
communicate with the provisioning wireless AP to gain
access to the WLAN (or provisioning VLAN of the WLAN)
and request provisioning services.

[0038] The secure provisioning method may then
determine if authorization of the mobile device is necessary
(step 508 of FIG. 5). If authorization is necessary at step
508, the provisioning equipment will then verify
authorization of the mobile device (step 510 of FIG. 5). If
authorization fails at step 510, the provisioning procedure
is denied (step 514 of FIG. 5) and normal operation will
return (step 518 of FIG. 5). Once the mobile device is
authorized to access the network at step 510 or if
authorization is not necessary at step 508, the provisioning
procedure will commence (step 512 of FIG. 5). During the
provisioning procedure, the provisioning wireless AP will
transfer provisioning information to the mobile device
(step 516 of FIG. 5). Provisioning information may be or
include network server keys, network identifications,
server names and IP addresses, and other sensitive
information. Once the provisioning wireless AP has
successfully transferred all necessary provisioning
information to the mobile device, the mobile device may proceed
to utilize the WLAN for services (step 518 of FIG. 5). Note
that the optional authorization steps 508 and 510 may
be part of the test in step 506 for entrance to the restricted
area.

[0039] FIG. 6 is a flowchart of a secure method for
provisioning a mobile communication device with specific
provisioning information, namely a primary extended
service set identifier (ESSID), from a wireless
communication network (e.g. an 802.11-based wireless local area
network (WLAN)), taken from the mobile device
perspective. The method of FIG. 6 may be performed by the
mobile device, and/or be embodied in a computer program
product which includes a computer readable medium
(e.g. memory) and computer instructions stored in the
computer readable medium which are executable by one
or more processors. The flowchart of FIG. 6 will be
discussed in combination with the components of the
communication system of FIG. 1 and the secure access
diagrams in FIGs. 3 and 4.

[0040] Before describing the flowchart of FIG. 6 in
detail, it is noted that a primary virtual local area network
(VLAN) of the WLAN is adapted to provide one or more
services (e.g. VoIP or other communication services) for
the mobile device. The WLAN may have one or more
primary ESSIDs associated with one or more different
VLANs of the WLAN which permit access to different
services from each other. In order to obtain a primary
ESSID to gain access to such services, the mobile device
is adapted to perform a wireless network provisioning
procedure with the WLAN. Specifically, the mobile device
makes use of a provisioning ESSID associated with a
provisioning VLAN of the WLAN for the provisioning
procedure. The provisioning VLAN is adapted to perform the
provisioning procedure with the mobile device, but
otherwise allows for limited or no other services in the WLAN
for the mobile device. The provisioning ESSID may be,
for example, a predetermined fixed ESSID utilized for all
mobile devices (i.e. the same fixed ESSID) which is
stored in memory. The provisioning ESSID is used
initially by the mobile device to associate with an AP of the
provisioning VLAN (i.e. the provisioning wireless AP
within the secured area) in order to subsequently receive and
store a primary ESSID associated with the primary VLAN
of the WLAN. The mobile device may then use
conventional or other techniques for associating with APs of the
primary VLAN using this primary ESSID.

[0041] Beginning at a start block 601 of FIG. 6, a
notification of an intent to provision a mobile communication
device is received (step 602 of FIG. 6). At this time, the 
opportunity for the end user/mobile device to provision 
the mobile device is identified. If the end user is granted 
access to the secure provisioning area of the provisioning 
wireless AP (step 506 of FIG. 5), then the provisioning 
process of the flowchart will continue; otherwise any con- 
nection for provisioning in the network is denied (step 
605 of FIG. 6). The test in step 603 may be performed 
at least in part with use of a security access controller 
(e.g. security access controller 330 of FIG. 3 or controller 
430 of FIG. 4). The security access controller may be or 
include a wireless access control unit, a keypad entry 
control unit (identification and/or password), an electron- 
ic push-button or manual key which unlocks an entry door 
by human (e.g. security guard) intervention, or a finger- 
print or retina scanner unit, as examples, that controls 
the opening of the entry door. In general, a received iden- 
tification and/or password of the accessing party is com- 
pared with a known identification and/or password and, 
if there is a match, the security access controller causes 
the entry door to be unlocked and/or opened; otherwise 
the entry door remains locked and unopened. 

[0042] If the end user is granted access to the secure
provisioning area of the provisioning wireless AP (step
603 of FIG. 5), then the user will enter the restricted area
and place the mobile device in a physical location within
the secure provisioning area so that the mobile device
may communicate via RF signals with the provisioning
wireless AP. Using a coverage restriction apparatus of
the type in FIG. 3, the mobile device may be placed
anywhere within the secure provisioning area 340, assuming
provisioning wireless AP 190 is transmitting at nominal
RF transmit power level and coverage area is less
than the open air RF coverage area generated by the
AP. Using a coverage restriction apparatus of the type
in FIG. 4, the user must place the mobile device within
controlled RF coverage area 440 of provisioning wireless
AP 190. Once the mobile device is placed within the
coverage area of provisioning wireless AP, the mobile device
may then communicate with the provisioning wireless AP
to gain access to the WLAN (or provisioning VLAN of the
WLAN) and request provisioning services.

[0043] The provisioning procedure is initiated when the
mobile device is located within an RF coverage area of
the provisioning wireless AP. When the mobile device is
operating, it searches for access points within its
coverage range. Next, the mobile device sends one or more
probe requests using its provisioning ESSID (step 604
of FIG. 6). In this step, the mobile device may use 802.11
management frames known as probe request frames to
send the probe requests. Specifically, the mobile device
sends probe requests on every channel that it supports
in an attempt to find all access points in range that match
the provisioning ESSID. The mobile device sends these
requests to the provisioning wireless AP by performing
programmed algorithms within its microprocessor and/or
MAC/BB processor (FIG. 2). Next, the mobile device
monitors to receive probe response commands from the
provisioning wireless AP and other APs within the range
of the mobile device (step 606 of FIG. 6). If no association
can be made using the provisioning ESSID, no probe
responses will be received by the mobile device. In this
case, the mobile device will continue the sending of probe
requests using the provisioning ESSID (step 604) and
monitoring for probe requests from APs (step 606). Once
a probe response is properly received from the
provisioning wireless AP in step 606, the mobile device will
associate with the AP for communications (step 608 of FIG.
6). This step establishes layer-2 communications
between the mobile device and the WLAN. As an
alternative to the probe request/response protocol of steps
604 and 606, some APs may regularly broadcast the
provisioning ESSIDs in "beacons." In this case, the mobile
device would compare the provisioning ESSID
broadcasted by the AP with its own provisioning ESSID and,
if there is a match, associate with the AP of the
provisioning VLAN.

[0044] After the mobile device associates with the
provisioning wireless AP in step 608, the mobile device
monitors to receive an Internet Protocol (IP) address from the
WLAN (step 610 of FIG. 6). The IP address may be
dynamically assigned by the network, for example, with use
of an address assignor (e.g. address assignor 120 of
FIG. 1) which may be a dynamic host configuration
protocol (DHCP) server. This establishes layer-3
communications between the mobile device and the WLAN.

[0045] Once the mobile device properly receives the
assigned IP address from the DHCP server, the mobile
device performs an authentication procedure with a
provisioning server (provisioning server 128 of FIG. 1) of the
provisioning VLAN (step 612 of FIG. 6). Previously, the
mobile device may receive a network address of the
provisioning server from the provisioning wireless AP so that
the authentication procedure with the provisioning server
may be initiated. Given that secure access has already
been provided, the authentication steps 612 and 614 are
optional. In the authentication procedure, the mobile
device sends authentication information (e.g. network
password, fingerprint data, or the like) to the provisioning
server. The authentication information may be unique to each
WLAN or terminal. The mobile device then monitors to
receive an authentication response from the provisioning
wireless AP (step 614 of FIG. 6). The authentication
response may indicate to the mobile device that
authentication is denied for that WLAN (e.g. where network
password is incorrect). If authentication is denied by the
WLAN, association between the mobile device and the
provisioning wireless AP will be aborted (step 616 of FIG.
6).

[0046] Once the mobile device has received a positive 
authentication response from the provisioning wireless 
AP, it is understood that it has gained network access 
for provisioning that it desires. In response to the positive 
authentication from the AP at step 614, the mobile device
will send a provisioning request for an ESSID to
provisioning server 128 to obtain a primary ESSID of the
primary VLAN of the WLAN (step 618 of FIG. 6). The mobile
device then monitors to receive a response from the pro- 
visioning wireless AP (step 620 of FIG. 6). The response 
may indicate to the mobile device that the request is de- 
nied and, if so, access to the WLAN is denied and asso- 
ciation between the mobile device and AP 190 may be 
aborted (step 622 of FIG. 6). If a positive response is 
received at step 620, the primary ESSID (e.g. the enter- 
prise-specific ESSID) of the primary VLAN of the WLAN 
is wirelessly received from the provisioning VLAN and 
programmed or stored in an internal network list in mem- 
ory of the mobile device (step 624 of FIG. 6). During this 
timeframe, the mobile device may also receive additional 
information, such as network access security keys and 
network server names/addresses for a VoIP server, a 
SIP server, and an e-mail server, as examples. Once the 
primary ESSID and any other information are obtained 
and stored in memory, the mobile device may proceed 
to utilize the primary VLAN of the WLAN for services (step 
626 of FIG. 6). 

[0047] FIG. 7 is a flowchart describing an illustrative
method of a secure wireless network provisioning proce- 
dure from the network perspective. Again in this example, 
provisioning information, namely a network identification 
or ESSID, is provisioned in the mobile device. The meth- 
od of FIG. 7 may be performed by equipment of the 
WLAN, and/or be embodied in a computer program prod- 
uct which includes a computer readable medium (e.g. 
memory) and computer instructions stored in the storage 
medium which are executable by one or more proces- 
sors. 

[0048] Prior to discussing FIG. 7 in detail, note again
that the WLAN has a primary VLAN which is associated
with a primary network identifier (i.e. the primary ESSID)
and a provisioning VLAN of the WLAN which is
associated with a provisioning network identifier (i.e. the
provisioning ESSID) and includes a provisioning server. The
primary VLAN of the WLAN is adapted to provide one or
more services (e.g. VoIP or other communication
services) for the mobile device. The WLAN may, in fact, have
one or more primary ESSIDs associated with one or more
different VLANs of the WLAN which permit access to
different services from each other. On the other hand,
the provisioning VLAN is adapted to perform the
provisioning procedure with the mobile device, but otherwise
allows for limited or no other services in the WLAN for
the mobile device. The provisioning ESSID may be a
predetermined fixed ESSID utilized for all mobile devices
(i.e. the same fixed ESSID) which is stored in memory.
The provisioning ESSID is used initially by the mobile
device to associate with an AP of the provisioning VLAN
(i.e. the provisioning wireless AP within the secured area)
in order to subsequently receive and store the primary
ESSID associated with the primary VLAN of the WLAN.
The mobile device may then use conventional or other
techniques for associating with APs of the primary VLAN
using the primary ESSID.

[0049] The discussion of FIG. 7 may make reference
to FIGs. 1, 3, 4 and 7 in combination. Beginning at
a start block 701 of FIG. 7, a notification of an intent to
provision a mobile communication device is received
(step 702 of FIG. 7). At this time, the opportunity for the
end user/mobile device to provision the mobile device is
identified. If the end user is granted access to the secure
provisioning area (e.g. area 340 of FIG. 3 or area 402 of
FIG. 4) of the provisioning wireless AP (step 703 of FIG.
7), then the provisioning process of the flowchart will
continue; otherwise any connection for provisioning in the
network is denied (step 705 of FIG. 7). The test in step
703 may be performed at least in part with use of a
security access controller (e.g. security access controller
330 of FIG. 3 or controller 430 of FIG. 4). The security
access controller may be or include a wireless access
control unit, a keypad entry control unit (identification
and/or password), an electronic push-button or manual
key which unlocks an entry door by human (e.g. security
guard) intervention, or a fingerprint or retina scanner unit,
as examples, that controls the opening of the entry door.
In general, a received identification and/or password of
the accessing party is compared with a known
identification and/or password and, if there is a match, the security
access controller causes the entry door to be unlocked
and/or opened; otherwise the entry door remains locked
and unopened.

[0050] If the end user is granted access to the secure 
provisioning area of the provisioning wireless AP (step 
703 of FIG. 5), then the user will enter the restricted area 
and place the mobile device in a physical location within
the secure provisioning area so that the mobile device
may communicate via RF signals with the provisioning
wireless AP. Using a coverage restriction apparatus of
the type in FIG. 3, the mobile device may be placed
anywhere within the secure provisioning area 340, assuming
provisioning wireless AP 190 is transmitting at nominal
RF transmit power level and coverage area is less
than the open air RF coverage area generated by the 
AP. Using a coverage restriction apparatus of the type 
in FIG. 4, the user must place the mobile device within 
controlled RF coverage area 440 of provisioning wireless 
AP 190. Once the mobile device is placed within the cov- 
erage area of provisioning wireless AP 190, the mobile 
device may then communicate with the AP to gain access 
to the WLAN (or provisioning VLAN of the WLAN) and 
request provisioning services. 

[0051] Next, the provisioning wireless AP monitors its 
RF channels for probe requests from mobile devices 
(step 704 of FIG. 7). In this step, probe requests are re- 
ceived in 802.11 management frames known as probe 
request frames. The mobile device sends probe requests 
on every channel that it supports in an attempt to find all 
access points in range that have the provisioning ESSID.
If a probe request having the primary ESSID of the
primary VLAN is received (step 706 of FIG. 7), then the
flowchart continues through steps 718 and 720, which are
described later. If the probe request does not have the
primary ESSID (step 706) but rather includes the
provisioning ESSID (step 708 of FIG. 7), then the provisioning
wireless AP sends a probe response to the mobile device
(step 710 of FIG. 7) and the mobile device associates
with the AP (step 712 of FIG. 7). This establishes layer- 
2 communications between the mobile device and the 
WLAN. As an alternative to the probe request/response 
protocol, some APs may regularly broadcast the provi- 
sioning ESSIDs in "beacons." In this case, the mobile 
device would compare the provisioning ESSID broad- 
casted by the provisioning wireless AP with its own pro- 
visioning ESSID and, if there is a match, associate with it. 

[0052] After the mobile device associates with the
provisioning wireless AP in step 608, the network assigns
and sends an Internet Protocol (IP) address to the mobile 
device (step 714 of FIG. 7). The IP address may be dy- 
namically assigned by the network, for example, with use 
of an address assignor (e.g. address assignor 120 of 
FIG. 1) which may be a dynamic host configuration pro- 
tocol (DHCP) server. This establishes layer-3 communi- 
cations between the mobile device and the WLAN. 
Sometime after the WLAN sends the assigned IP ad- 
dress from the DHCP server in step 714, the provisioning 
server (provisioning server 128 of FIG. 1) of the provi- 
sioning VLAN performs an authentication procedure with 
the mobile device. Here, an authentication request and
authentication information are received from the mobile
device (step 716 of FIG. 7). The provisioning wireless AP
may send a network address of the provisioning server 
to the mobile device so that the authentication procedure 
with the provisioning server may be initiated. The authen- 
tication information may be unique to each WLAN or ter- 
minal, and may include a network password, fingerprint 
data, or the like. 



[0053] The authentication response may indicate to
the mobile device that authentication is denied for that
WLAN (e.g. where network password is incorrect) (step
726 of FIG. 7). If authentication is denied by the WLAN,
association between the mobile device and the
provisioning wireless AP may be aborted. If the authentication
information is correct at step 722, then it is understood
that the mobile device has gained network provisioning
access for provisioning. After a positive authentication
from the provisioning wireless AP at step 724, the
provisioning VLAN receives a provisioning request for an
ESSID from the mobile device to receive a primary ESSID
of the primary VLAN of the WLAN (step 728 of FIG. 7).
If not, access to the WLAN is denied (step 724 of FIG.
7) and association between the mobile device and the
provisioning wireless AP may be aborted. After receiving
the provisioning request in step 728, the provisioning
VLAN causes the primary ESSID (e.g. the
enterprise-specific ESSID) of the primary VLAN of the WLAN to be
wirelessly transmitted from the provisioning wireless AP
to the mobile device (step 730 of FIG. 7). This primary
ESSID is stored in an internal network list in memory of
the mobile device. During this timeframe, the WLAN may
also send additional information, such as network access
security keys and network server names/addresses for
a VoIP server, a SIP server, and an e-mail server, as
examples. Once the primary ESSID and any other
information are sent by the provisioning VLAN and stored in
memory of the mobile device, the primary VLAN of the
WLAN may provide services to the mobile device where
it utilizes the primary ESSID for association with APs of
the WLAN (step 732 of FIG. 7).
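
The exchange that FIGs. 6 and 7 describe, modelled end to end as an added example (not code from the patent): the network side refuses each step unless the previous one completed, and the primary ESSID is released only to a session that has passed authentication on the provisioning VLAN. All class, function and state names, the ESSIDs, the password and the addresses are constructed for illustration, and the bounded probe loop is an assumption.

```python
# Added illustration: a constructed model of the exchange in FIGs. 6 and 7.
# Class, function and state names, ESSIDs, addresses and the password are
# assumptions made for this example; none of them come from the patent.
import hmac
from dataclasses import dataclass, field

PROVISIONING_ESSID = "PROVISION"      # constructed: fixed ESSID known to every device
PRIMARY_ESSID = "ENTERPRISE-VOICE"    # constructed: enterprise-specific ESSID


@dataclass
class ProvisioningNetwork:
    """Network side: provisioning AP, address assignor and provisioning server."""
    password: str
    require_auth: bool = True          # the text treats authentication as optional
    sessions: dict = field(default_factory=dict)   # device id -> state
    next_host: int = 10

    def probe(self, dev, essid):
        # Step 708: answer only probes that carry the provisioning ESSID.
        # Probes with a primary ESSID take the normal-service path, not modelled.
        if essid != PROVISIONING_ESSID:
            return False
        self.sessions[dev] = "PROBED"              # step 710: probe response
        return True

    def _advance(self, dev, expected, new):
        # Every step is refused unless the previous one completed for this device.
        if self.sessions.get(dev) != expected:
            self.sessions.pop(dev, None)
            return False
        self.sessions[dev] = new
        return True

    def associate(self, dev):                      # step 712: layer 2
        return self._advance(dev, "PROBED", "ASSOCIATED")

    def assign_ip(self, dev):                      # step 714: layer 3 (DHCP)
        if not self._advance(dev, "ASSOCIATED", "ADDRESSED"):
            return None
        self.next_host += 1
        return f"10.99.0.{self.next_host}"         # constructed address

    def authenticate(self, dev, secret):           # step 716
        if self.sessions.get(dev) != "ADDRESSED":
            self.sessions.pop(dev, None)
            return False
        ok = (not self.require_auth) or hmac.compare_digest(
            secret.encode(), self.password.encode())
        if ok:
            self.sessions[dev] = "AUTHENTICATED"
        else:
            self.sessions.pop(dev, None)           # association aborted
        return ok

    def provision(self, dev):                      # steps 728/730
        if not self._advance(dev, "AUTHENTICATED", "PROVISIONED"):
            return None
        return {"primary_essid": PRIMARY_ESSID}


def provision_device(net, dev, essid, secret, max_probes=3):
    """Device side (FIG. 6). Returns (outcome, network_list, trace)."""
    trace, network_list = [], []
    for _ in range(max_probes):                    # steps 604/606, bounded here
        trace.append("probe_request")
        if net.probe(dev, essid):
            trace.append("probe_response")
            break
    else:
        return "no_ap_found", network_list, trace
    if not net.associate(dev):                     # step 608
        return "association_failed", network_list, trace
    trace.append("associated")
    ip = net.assign_ip(dev)                        # step 610
    if ip is None:
        return "no_address", network_list, trace
    trace.append("ip:" + ip)
    if not net.authenticate(dev, secret):          # steps 612-616
        trace.append("auth_denied")
        return "auth_denied", network_list, trace
    trace.append("authenticated")
    reply = net.provision(dev)                     # steps 618-622
    if reply is None:
        return "request_denied", network_list, trace
    network_list.append(reply["primary_essid"])    # step 624: store in network list
    trace.append("provisioned")
    return "provisioned", network_list, trace


if __name__ == "__main__":
    net = ProvisioningNetwork(password="constructed-secret")
    print(provision_device(net, "dev-A", PROVISIONING_ESSID, "constructed-secret"))
    print(provision_device(net, "dev-B", PROVISIONING_ESSID, "wrong"))
    print(provision_device(net, "dev-C", "GUEST", "constructed-secret"))
```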

[0054] Moving ahead, FIGs. 8 and 9 describe an
adaptive beamforming method that may be used to further
reduce or restrict an RF coverage area within a secured
room structure such as those shown in FIGs. 3 and 4.
The adaptive beamforming communications equipment
may be located within a secured room structure similar
to those shown in FIGs. 3 and 4. In a secured room
structure, walls and doors used to provide restricted access
to a secured room structure may or may not be
conductive depending on security requirements for the
provisioning area. In general, during a configuration procedure
for the provisioning wireless AP, RF signals to and from
a plurality of communication devices are transmitted and
received by the AP. The plurality of communication
devices include a first group of communication devices
located within an RF coverage boundary of a desired
provisioning coverage region. The plurality of
communication devices also include a second group of
communication devices located along and outside the RF coverage
boundary of the desired provisioning coverage region.
Parameters of a wireless transceiver of the provisioning
wireless AP are determined and set to adjust boundaries
of an RF coverage region, such that RF signal coverage
of the first group of communication devices is maximized
but RF signal coverage of the second group of
communication devices is minimized. Preferably, the
parameters of the wireless transceiver are determined through
use of an adaptive beamforming technique which is
performed automatically by the wireless AP without user
intervention.

[0055] More particularly in FIG. 8, a schematic block 
diagram of basic components of a provisioning wireless 
AP 800 which serves as an RF coverage shaping mech- 
anism in the WLAN is shown. Wireless AP 800 is further 
adapted to perform part of a configuration procedure with 
use of an adaptive beamforming technique. As shown in 
FIG. 8, wireless AP 800 includes a processor 802 (e.g. 
a microprocessor, microcontroller, and/or digital signal 
processor), memory 810 coupled to processor 802, a 
wireless transceiver 804 coupled to processor 802, an 
antenna array 806 coupled to wireless transceiver 804, 
a user interface 812 coupled to processor 802, and a 
power source interface 814. Although only one processor
802 and only one wireless transceiver 804 are shown in 
FIG. 8, processor 802 may be embodied as two or more 
processors (e.g. microprocessor and DSP) and wireless 
transceiver 804 may be embodied as two or more wire- 
less transceiver portions. Power source interface 814 
supplies power to all electrical components of wireless 
AP 800 by interfacing with a power source (e.g. AC pow- 
er, battery, and/or solar power). 

[0056] Processor 802 of wireless AP 800 includes an 
adaptive beamforming process 814 which helps determine
transceiver parameters 816 for wireless transceiver
804 which are stored in memory 810. Adaptive
beamforming process 814 may be embodied as computer
instructions which are executable by processor 802.
Transceiver parameters 816 are used by wireless AP 800 to
establish its RF coverage region when it serves as the
provisioning mechanism in the WLAN (or the provisioning
VLAN of the WLAN). A set of transceiver parameters 816 
may be stored for each frequency or frequency pair as- 
sociated with all of the usable frequency channels of the 
relevant RF band for RF communications. The basic 
components of wireless AP 800 of FIG. 8 may be partic- 
ularly utilized. User interface 812, which may be or in- 
clude user actuable switches or keys (e.g. directly on a 
housing of wireless AP 800 or through a computer ter- 
minal (e.g. PC) connected to wireless AP 800), for ex- 
ample, may be utilized to initiate the configuration pro- 
cedure and adaptive beamforming process 814. That is, 
the configuration procedure/adaptive beamforming tech- 
nique of wireless AP 800 may be initiated in response to 
a user interface signal from user interface 812. 

[0057] Showing more exemplary detail, FIG. 9 is a
schematic diagram of wireless transceiver components
900 of the wireless AP which are adapted to perform an
adaptive beamforming technique for configuration of the
wireless AP. In the example of FIG. 9, the receiver portion
is shown but the transmitter portion may utilize a similar
approach. In FIG. 9, wireless transceiver components
900 include an antenna array having a plurality of
antennas, where each antenna is coupled to a separate
corresponding RF front end component. A frequency
synthesizer, which receives a fixed oscillator frequency
signal from an oscillator ("NCO"), is coupled to each RF
front end component. Each RF front end component has
an output coupled to an input of an analog-to-digital
converter (A/D), which has an output coupled to signal
demodulators (which include signal mixers) and
subsequent low pass filters. Outputs from the low pass filters
are coupled to inputs of a digital signal processor (DSP).
The controller serves to control the adaptive
beamforming process for producing transceiver parameters in the
configuration procedure for the DSP. Note that there are
many different types of adaptive beamforming
algorithms, conventional or otherwise, which may be utilized
within the wireless AP. With adaptive beamforming, each
RF signal is multiplied with complex weights that adjust
a magnitude and a phase of the RF signal to and from
each antenna in the antenna array. This causes the
output from the antenna array to form a transmit/receive
beam in the desired direction, while minimizing the output
in other directions. The application of complex weights
to the RF signals from different antennas of the antenna
array involves complex multiplications that may map onto
embedded DSP blocks of the DSP.

[0058] Referring now to FIG. 10, a flowchart of a
method of configuring the provisioning wireless AP for use as
the provisioning mechanism in the WLAN is shown. The
following description of FIG. 10 relates to the description
of FIGs. 8-9 above. The method of FIG. 10 may be
embodied at least in part as a computer program product
which includes a computer readable medium and
computer instructions stored in the computer readable
medium which are executable by one or more processors of
the wireless AP for performing the method. After its
initiation, the technique is performed automatically by the
one or more processors without further user intervention.

[0059] Beginning at a start block 1002 of FIG. 10, a
plurality of mobile communication devices for the
configuration procedure are provided and fixedly positioned
around a desired RF provisioning coverage region of the
provisioning wireless AP both within and outside of the
region (step 1004 of FIG. 10). Specifically, a first group
of mobile devices is located within and around RF
provisioning coverage boundaries of the desired RF
provisioning coverage region of the WLAN. A second group of
mobile devices is located along and outside the RF
coverage boundaries of the provisioning coverage region.
The positioning of the mobile devices is performed by
one or more individuals, with or without the assistance
of any other WLAN feedback signal mechanisms if
necessary.

[0060] After mobile device positioning, radio frequency (RF) signals to/from the mobile devices are transmitted/received by the wireless AP (step 1006 of FIG. 10). An RF signal coverage region of the wireless AP is then adjusted and set based on the RF signals using an adaptive beamforming technique (step 1008 of FIG. 10). Specifically, transceiver parameters of the wireless transceiver of the wireless AP are adjusted and set such that RF signal coverage of the first group of mobile devices is maximized but RF signal coverage of the second group of mobile devices is minimized (step 1010 of FIG. 10). The RF signals from each mobile device may include a mobile device identifier which uniquely identifies the mobile device, amongst other data. Mobile device identifiers may also be stored in memory of the wireless AP, and assigned or associated in advance with an indication corresponding to either one group (e.g. within desired provisioning coverage) or another group (e.g. outside of desired provisioning coverage). The wireless AP determines which RF signals should be maximized or minimized based on the mobile device identifier associated with the RF signal and the indication (received and/or stored in memory) of whether the mobile device should or should not be within the AP tripwire coverage. Once the transceiver parameters are obtained, they are stored in memory for use by the wireless AP tripwire (step 1012 of FIG. 10).
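The calibration of FIG. 10 can be sketched as follows. This is an added example, not code from the patent: it swaps in a closed-form null-steering projection for the unspecified adaptive beamforming algorithm, and the 8-element uniform linear array, half-wavelength spacing, device identifiers and bearings are all constructed assumptions.

```python
import cmath
import math

# Constructed calibration set: identifier -> (stored group indication, bearing in degrees).
# Bearings stand in for the channel the AP would measure from each device's RF signal.
CALIBRATION_DEVICES = {
    "dev-in-1": ("inside", -10.0),
    "dev-in-2": ("inside", 5.0),
    "dev-out-1": ("outside", -55.0),
    "dev-out-2": ("outside", 40.0),
    "dev-out-3": ("outside", 70.0),
}
NUM_ANTENNAS = 8            # assumption: uniform linear array
SPACING_WAVELENGTHS = 0.5   # assumption: half-wavelength element spacing


def steering_vector(bearing_deg, n=NUM_ANTENNAS, d=SPACING_WAVELENGTHS):
    """Per-antenna phase of a far-field plane wave arriving from bearing_deg."""
    step = 2 * math.pi * d * math.sin(math.radians(bearing_deg))
    return [cmath.exp(1j * step * k) for k in range(n)]


def inner(a, b):
    """Hermitian inner product: sum(conj(a_k) * b_k)."""
    return sum(x.conjugate() * y for x, y in zip(a, b))


def norm(v):
    return math.sqrt(inner(v, v).real)


def remove_component(v, q):
    """Subtract from v its projection onto the unit vector q."""
    c = inner(q, v)
    return [x - c * y for x, y in zip(v, q)]


def orthonormal_basis(vectors):
    """Modified Gram-Schmidt; numerically dependent vectors are dropped."""
    basis = []
    for v in vectors:
        for q in basis:
            v = remove_component(v, q)
        length = norm(v)
        if length > 1e-9:
            basis.append([x / length for x in v])
    return basis


def compute_weights(devices):
    """Unit-power complex weights: beam toward 'inside' devices, nulls on 'outside' ones."""
    inside = [steering_vector(b) for g, b in devices.values() if g == "inside"]
    outside = [steering_vector(b) for g, b in devices.values() if g == "outside"]
    if not inside:
        raise ValueError("no device is marked as inside the provisioning region")
    # Start from the combined response of the devices that must be covered ...
    weights = [sum(column) for column in zip(*inside)]
    # ... then project out every direction that must not be covered.
    for q in orthonormal_basis(outside):
        weights = remove_component(weights, q)
    length = norm(weights)
    if length < 1e-9:
        raise ValueError("array has too few antennas to separate the two groups")
    return [x / length for x in weights]


def gain_db(weights, bearing_deg):
    """Power gain toward a bearing, in dB relative to one antenna at equal total power."""
    response = abs(inner(weights, steering_vector(bearing_deg)))
    return 20 * math.log10(max(response, 1e-12))  # floor avoids log(0) at a null


def coverage_report(devices, weights):
    """Map each device identifier to (group indication, achieved gain in dB)."""
    return {dev: (group, gain_db(weights, bearing))
            for dev, (group, bearing) in devices.items()}


def as_magnitude_phase(weights):
    """Transceiver parameters to store: per-antenna (magnitude, phase in degrees)."""
    return [(abs(w), math.degrees(cmath.phase(w))) for w in weights]


if __name__ == "__main__":
    w = compute_weights(CALIBRATION_DEVICES)
    for dev, (group, gain) in coverage_report(CALIBRATION_DEVICES, w).items():
        print(f"{dev:10s} {group:8s} {gain:8.1f} dB")
    for k, (mag, phase) in enumerate(as_magnitude_phase(w)):
        print(f"antenna {k}: magnitude {mag:.3f}, phase {phase:7.1f} deg")
```

The nulls hold only at the calibrated bearings, so the report is worth re-running with devices at intermediate positions before relying on the stored parameters to keep the provisioning region confined.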

[0061] Yet even another technique that may be used to control RF coverage area within a secured room structure, which would provide a secure provisioning area, is shown in the block diagram in FIG. 11. A wall structure 1110 and an entry door 1125 provide restricted access to a controlled RF coverage area 1140 that is surrounded by wall structure 1110 and entry door 1125. The controlled, restricted RF coverage area 1140 is preferably a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs of the WLAN. Access to the secure provisioning area may be by use of a secure entry controller 1130, which may be in the form described earlier, for controlling entry door 1125. The controlled RF coverage area 1140 may be a function of two or more RF radiation lobes 1122. The example shown in FIG. 11 consists of four RF sources 1120, which may represent individual APs, antennae, or similar radiation devices. Each RF source is coupled to a control circuit 1132, which will control the RF sources accordingly to create the necessary coverage area. In this example, if RF sources 1120 are antennae, then control circuit 1132 may be an antenna coupler that delivers RF energy at different phase offsets or it may be a series of APs with each AP delivering a different RF signal to each RF source 1120. RF sources 1120 may alternatively be APs, which would then dictate that control circuit 1132 be a group of APs which would each be connected to a single antenna.

[0062] Thus, methods and apparatus for use in provisioning a mobile communication device in a wireless local area network (WLAN) having a plurality of wireless access points (APs) have been described herein. In one illustrative method, a provisioning procedure is performed between the mobile communication device and the WLAN via the provisioning wireless AP while the mobile communication device is positioned within a provisioning radio frequency (RF) coverage region of the provisioning wireless AP. However, the provisioning RF coverage region is otherwise confined so that a plurality of other mobile communication devices of the WLAN are restricted from access therefrom during the provisioning procedure. The provisioning RF coverage region may be confined by providing the provisioning wireless AP within a secured room, by providing an electromagnetic shield around the provisioning wireless AP, or both, as examples. The provisioning RF coverage region may have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs of the WLAN, whether through reduced transmission power or through beamforming circuitry of the provisioning wireless AP. Further techniques may be employed to provision a primary ESSID of the WLAN with use of a provisioning ESSID of the provisioning wireless AP.

[0063] Provisioning equipment of the present disclosure for a WLAN which includes a plurality of wireless APs for wireless communications with a plurality of mobile communication devices may comprise a provisioning wireless AP for the WLAN and a wireless AP coverage restriction apparatus which is configured to confine a provisioning radio frequency (RF) coverage region of the provisioning wireless AP so as to restrict the plurality of mobile communication devices from access therewithin without confining RF coverage regions of the plurality of wireless APs. The wireless AP coverage restriction apparatus may be or include a secured room structure within which the provisioning wireless AP is provided for confining the provisioning RF coverage region, or an electromagnetic shield which surrounds the provisioning wireless AP. The provisioning RF coverage region may have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs of the WLAN, through reduced transmission power or through beamforming circuitry of the wireless AP. A provisioning server may be included in such provisioning equipment. For example, the provisioning server may be configured to cause an extended set service identifier (ESSID) to be sent to the mobile communication device via the provisioning wireless AP during the provisioning procedure for programming in memory of the mobile communication device, so that the mobile communication device is thereafter programmed to associate with any of the plurality of wireless APs of the WLAN.

[0064] A wireless local area network (WLAN) of the present disclosure includes a plurality of wireless access points (AP) which are configured to provide a radio frequency (RF) coverage region for the WLAN for wireless communications with a plurality of mobile communication devices; a provisioning wireless AP; a provisioning server which is configured to perform a provisioning procedure with a mobile communication device through the provisioning wireless AP; and a wireless AP coverage restriction apparatus which is configured to confine a provisioning RF coverage region of the provisioning wireless AP so as to restrict the plurality of mobile communication devices from access therewithin. The coverage restriction apparatus may comprise a secured room structure within which the provisioning wireless AP is provided for confining the provisioning RF coverage region, and/or an electromagnetic shield which surrounds the provisioning wireless AP. The coverage restriction apparatus may be configured to cause the provisioning RF coverage region to have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs of the WLAN, through reduced transmission power or through beamforming circuitry of the wireless AP. The provisioning server may be configured to cause an ESSID to be sent to the mobile communication device via the provisioning wireless AP during the provisioning procedure for programming in memory of the mobile communication device, so that the mobile communication device is programmed to associate with any of the plurality of wireless APs of the WLAN.

[0065] The above-described embodiments of the present disclosure are intended to be examples only. Those of skill in the art may effect alterations, modifications and variations to the particular embodiments without departing from the scope of the application. For example, although 802.11-based networks have been described in the preferred embodiment, other suitable network technologies may be utilized such as 802.16-based network (i.e. WiMAX) technologies. The invention described herein in the recited claims intends to cover and embrace all suitable changes in technology.



Claims 

1. A method for use in provisioning a mobile communication device in a wireless local area network (WLAN) which includes a plurality of wireless access points (APs) for wireless communications with a plurality of mobile communication devices, the method comprising the acts of:

providing a provisioning wireless AP for the WLAN having the plurality of wireless APs;

causing a provisioning procedure to be performed between the mobile communication device and the WLAN via the provisioning wireless AP while the mobile communication device is positioned within a provisioning radio frequency (RF) coverage region of the provisioning wireless AP; and

causing the provisioning RF coverage region of the provisioning wireless AP to be otherwise confined so as to restrict the plurality of mobile communication devices from access therewithin.

2. The provisioning method of claim 1, wherein the act of causing the provisioning RF coverage region to be confined comprises the further act of providing the provisioning wireless AP within a secured room structure which confines the provisioning RF coverage region.

3. The provisioning method of claim 1, wherein the act of causing the provisioning RF coverage region to be confined comprises the further act of providing an electromagnetic shield which surrounds the provisioning wireless AP.

4. The provisioning method of claim 1, wherein the act of causing the provisioning RF coverage region to be confined comprises the further act of causing the provisioning RF coverage region to have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs of the WLAN.

5. The provisioning method of claim 1, wherein the act of causing the provisioning RF coverage region to be confined comprises the further act of causing the provisioning RF coverage region to have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs with use of beamforming circuitry of the provisioning wireless AP.

6. The provisioning method of claim 1, further comprising:

providing the plurality of wireless APs with RF coverage regions within which the plurality of mobile communication devices may communicate with the WLAN during the provisioning procedure.

7. The provisioning method of claim 1, further comprising:

for the provisioning procedure:

causing an extended set service identifier (ESSID) of the WLAN to be sent from the provisioning wireless AP to the mobile communication device for programming in memory of the mobile communication device, so that the mobile communication device is thereafter programmed to associate with any of the plurality of wireless APs of the WLAN.

8. The provisioning method of claim 1, further comprising:

for the provisioning procedure:

causing an association to be made between the mobile communication device and the provisioning wireless AP with use of a provisioning extended service set identifier (ESSID);

after the association, causing a primary ESSID of the WLAN to be sent from the provisioning wireless AP to the mobile communication device for programming in memory of the mobile communication device, so that the mobile communication device is thereafter programmed to associate with any of the plurality of wireless APs of the WLAN.

9. Provisioning equipment for a wireless local area network (WLAN) which includes a plurality of wireless access points (APs) for wireless communications with a plurality of mobile communication devices, the provisioning equipment comprising:

a provisioning wireless access point (AP) for the WLAN; and

a wireless AP coverage restriction apparatus which is configured to confine a provisioning radio frequency (RF) coverage region of the provisioning wireless AP so as to restrict the plurality of mobile communication devices from access therewithin without confining RF coverage regions of the plurality of wireless APs.

10. The provisioning equipment of claim 9, wherein the wireless AP coverage restriction apparatus comprises a secured room structure within which the provisioning wireless AP is provided for confining the provisioning RF coverage region.

11. The provisioning equipment of claim 9, wherein the wireless AP coverage restriction apparatus comprises an electromagnetic shield which surrounds the provisioning wireless AP.

12. The provisioning equipment of claim 9, wherein the wireless AP coverage restriction apparatus is configured to cause the provisioning RF coverage region to have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs of the WLAN.

13. The provisioning equipment of claim 9, wherein the wireless AP coverage restriction apparatus comprises beamforming circuitry of the provisioning wireless AP which is configured to cause the provisioning RF coverage region to have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs of the WLAN.

14. The provisioning equipment of claim 9, further comprising:

a provisioning server; and

the provisioning server being configured to cause an extended set service identifier (ESSID) to be sent to the mobile communication device via the provisioning wireless AP during the provisioning procedure for programming in memory of the mobile communication device, so that the mobile communication device is thereafter programmed to associate with any of the plurality of wireless APs of the WLAN.

15. The provisioning equipment of claim 9, further comprising:

the provisioning wireless AP being configured to cause an association to be made with the mobile communication device with use of a provisioning extended service set identifier (ESSID);

a provisioning server; and

the provisioning server being configured to cause a primary extended set service identifier (ESSID) of the WLAN to be sent to the mobile communication device via the provisioning wireless AP during the provisioning procedure for programming in memory of the mobile communication device, so that the mobile communication device is thereafter programmed to associate with any of the plurality of wireless APs of the WLAN.

16. A wireless local area network (WLAN) comprising:

a plurality of wireless access points (AP) which are configured to provide a radio frequency (RF) coverage region for the WLAN for wireless communications with a plurality of mobile communication devices;

a provisioning wireless AP;

a provisioning server which is configured to perform a provisioning procedure with a mobile communication device through the provisioning wireless AP; and

a wireless AP coverage restriction apparatus which is configured to confine a provisioning RF coverage region of the provisioning wireless AP so as to restrict the plurality of mobile communication devices from access therewithin.

17. The WLAN of claim 16, wherein the coverage restriction apparatus comprises a secured room structure within which the provisioning wireless AP is provided for confining the provisioning RF coverage region.

18. The WLAN of claim 16, wherein the coverage restriction apparatus comprises an electromagnetic shield which surrounds the provisioning wireless AP.

19. The WLAN of claim 16, wherein the coverage restriction apparatus is configured to cause the provisioning RF coverage region to have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs of the WLAN.

20. The WLAN of claim 16, wherein the coverage restriction apparatus comprises beamforming circuitry of the provisioning wireless AP which is configured to cause the provisioning RF coverage region to have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs of the WLAN.

21. The WLAN of claim 16, further comprising:

the provisioning server being configured to cause an extended set service identifier (ESSID) to be sent to the mobile communication device via the provisioning wireless AP during the provisioning procedure for programming in memory of the mobile communication device, so that the mobile communication device is programmed to associate with any of the plurality of wireless APs of the WLAN.

22. The WLAN of claim 16, further comprising:

the provisioning wireless AP being configured to cause an association to be made with the mobile communication device with use of a provisioning extended service set identifier (ESSID); and

the provisioning server being configured to cause a primary extended set service identifier (ESSID) of the WLAN to be sent to the mobile communication device via the provisioning wireless AP during the provisioning procedure for programming in memory of the mobile communication device, so that the mobile communication device is programmed to associate with any of the plurality of wireless APs of the WLAN.



Amended claims in accordance with Rule 137(2) EPC.

1. A method for use in provisioning a mobile communication device (134) with provisioning information in a wireless local area network "WLAN" which includes a plurality of wireless access points "APs" (132, 142) for wireless communications with a plurality of mobile communication devices (136, 138, 144, 146), the method comprising the acts of:

providing a provisioning wireless AP (190) for the WLAN having the plurality of wireless APs (132, 142);

providing the provisioning wireless AP (190) within a secured room the secured room being made of a secured room structure having a wall structure (310) and an entry door (320), the secured room structure being adapted to confine a provisioning radio frequency "RF" coverage region of the provisioning wireless AP (190) within the secured room and to restrict the plurality of mobile communication devices (136, 138, 144, 146) from entry therewithin;

providing a security access controller (330) for the secured room which is adapted to control an opening of the entry door (320) of the secured room in response to an authentication procedure for an accessing party having the mobile communication device (134);

after proper authentication of the accessing party:

allowing entrance for the accessing party having the mobile communication device (134) within the secured room via the entry door (320) using the security access controller (330); and

causing a provisioning procedure to be performed between the mobile communication device (134) and the WLAN via the provisioning wireless AP (190) to program the provisioning information in the mobile communication device (134) while the mobile communication device (134) is positioned within the secured room and the provisioning RF coverage region of the provisioning wireless AP (190).

2. The provisioning method of claim 1, wherein the authentication procedure comprises the further acts of:

receiving an identification and/or password of the accessing party;

comparing the identification and/or password of the accessing party with a known identification and/or password; and

if there is a match between the identification and/or password of the accessing party and the known identification and/or password, causing the entry door (320) to be unlocked and/or opened by the security access controller (330) for allowing entrance for the accessing party within the secured room.

3. The provisioning method of claim 1, security access controller (330) comprises one of a wireless access control unit and a keypad entry control unit for authentication of an identification and/or password of the accessing party.

4. The provisioning method of claim 1, further comprising:

causing the provisioning RF coverage region to have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs (132, 142) of the WLAN.

5. The provisioning method of claim 1, further comprising:

causing the provisioning RF coverage region to have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs (132, 142) with use of beamforming circuitry (814) of the provisioning wireless AP (190).

6. The provisioning method of claim 1, wherein the secured room structure is constructed with one of a conductive electromagnetic shielding material and an RF absorption material to confine the provisioning RF coverage region within the secured room.

7. The provisioning method of claim 1, further comprising:

for the provisioning procedure:

causing an extended set service identifier "ESSID" of the WLAN to be sent from the provisioning wireless AP (190) to the mobile communication device (134) for programming in memory of the mobile communication device (134), so that the mobile communication device (134) is thereafter programmed to associate with any of the plurality of wireless APs (132, 142) of the WLAN.

8. The provisioning method of claim 1, further comprising:

for the provisioning procedure:

causing an association to be made between the mobile communication device (134) and the provisioning wireless AP (190) with use of a provisioning extended service set identifier "ESSID".

9. Provisioning equipment for a wireless local area network "WLAN" which includes a plurality of wireless access points "APs" for wireless communications with a plurality of mobile communication devices (136, 138, 144, 146), the provisioning equipment comprising:

a provisioning wireless AP (190) for the WLAN for use in provisioning a mobile communication device (134) with provisioning information;

a wireless AP coverage restriction apparatus which includes a secured room within which the provisioning wireless AP (190) is located;

a secured room structure of the secured room having a wall structure (310) and an entry door (320), the secured room structure being configured to confine a provisioning radio frequency "RF" coverage region of the provisioning wireless AP (190) within the secured room and to restrict the plurality of mobile communication devices (136, 138, 144, 146) from entry therewithin; and

a security access controller (330) for the secured room, the security access controller (330) being adapted to control an opening of the entry door (320) of the secured room in response to an authentication procedure for an accessing party having the mobile communication device (134) to allow entry for the accessing party.

10. The provisioning equipment of claim 9, wherein the security access controller (330) comprises one of a wireless access control unit and a keypad entry control unit for authentication of an identification and/or password of the accessing party.

11. The provisioning equipment of claim 9, wherein the secured room structure is constructed with one of a conductive electromagnetic shielding material and an RF absorption material to confine the provisioning RF coverage region within the secured room.

12. The provisioning equipment of claim 9, wherein the provisioning RF coverage region has a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs (132, 142) of the WLAN.

13. The provisioning equipment of claim 9, further comprising:

beamforming circuitry (814) of the provisioning wireless AP (190) which is configured to cause the provisioning RF coverage region to have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs (132, 142) of the WLAN.



14. The provisioning equipment of claim 9, further comprising:

a provisioning server (128); and

the provisioning server (128) being configured to cause an extended set service identifier "ESSID" to be sent to the mobile communication device (134) via the provisioning wireless AP (190) during the provisioning procedure for programming in memory of the mobile communication device (134), so that the mobile communication device (134) is thereafter programmed to associate with any of the plurality of wireless APs (132, 142) of the WLAN.

15. The provisioning equipment of claim 9, further comprising:

the provisioning wireless AP (190) being configured to cause an association to be made with the mobile communication device (134) with use of a provisioning extended service set identifier "ESSID".

16. A wireless local area network "WLAN" with a secure provisioning environment comprising:

a plurality of wireless access points "APs" which are configured to provide a radio frequency "RF" coverage region for the WLAN for wireless communications with a plurality of mobile communication devices (136, 138, 144, 146);

a provisioning wireless AP (190);

a provisioning server (128) which is configured to perform a provisioning procedure with a mobile communication device (134) through the provisioning wireless AP (190) to program provisioning information in the mobile communication device (134);

a secured room within which the provisioning wireless AP (190) is located;

a secured room structure of the secured room having a wall structure (310) and an entry door (320), the secured room structure being configured to confine a provisioning RF coverage region of the provisioning wireless AP (190) within the secured room and to restrict the plurality of mobile communication devices (136, 138, 144, 146) from entry therewithin; and

a security access controller (330) for the secured room, the security access controller (330) being adapted to control an opening of the entry door (320) of the secured room in response to an authentication procedure for an accessing party having the mobile communication device (134) to allow entry for the accessing party.

17. The WLAN of claim 16, wherein the security access controller (330) comprises one of a wireless access control unit and a keypad entry control unit for authentication of an identification and/or password of the accessing party.

18. The WLAN of claim 16, wherein the secured room structure is constructed with one of a conductive electromagnetic shielding material and an RF absorption material to confine the provisioning RF coverage region within the secured room.

19. The WLAN of claim 16, wherein the provisioning RF coverage region has a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs (132, 142) of the WLAN.

20. The WLAN of claim 16, further comprising:

beamforming circuitry (814) of the provisioning wireless AP (190) which is configured to cause the provisioning RF coverage region to have a substantially smaller RF coverage area than RF coverage areas of the plurality of wireless APs (132, 142) of the WLAN.

21. The WLAN of claim 16, further comprising:

the provisioning server (128) being configured to cause an extended set service identifier "ESSID" to be sent to the mobile communication device (134) via the provisioning wireless AP (190) during the provisioning procedure for programming in memory of the mobile communication device (134), so that the mobile communication device (134) is programmed to associate with any of the plurality of wireless APs (132, 142) of the WLAN.

22. The WLAN of claim 16, further comprising:

the provisioning wireless AP (190) being configured to cause an association to be made with the mobile communication device with use of a provisioning extended service set identifier "ESSID".